manifoldcf-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Karl Wright <daddy...@gmail.com>
Subject Re: How to check Sharepoint ACLs into Solr using MCF 1.5.1.
Date Wed, 11 Jun 2014 10:22:59 GMT
Looking at the REST api, it seems like it is not a true stateless REST
api.  Apparently, there is a session cookie required (?).  For example, see:

http://docs.alfresco.com/4.0/references/RESTful-RepositoryLoginticketGet.html

That will (somewhat) complicate things; it's decidedly non-standard.
Also, I don't see any way still to get access tokens given a user:

http://docs.alfresco.com/4.0/references/RESTful-Person.html

Do you see any way to do this?

Karl



On Wed, Jun 11, 2014 at 5:24 AM, lalit jangra <lalit.j.jangra@gmail.com>
wrote:

> Thanks Karl,
>
> Sadly this confirms that neither CMIS nor Alfresco connectors support ACL
> indexing and storage. I checked into Alfresco connector code but nothing
> has been mentioned about ACL indexing & storage.
>
> Next alfresco does support REST based API very well and infact REST is
> used in Alfresco all over the place. So we can definitely write some better
> stuff here. For documentation around REST usage in alfresco, please refer
> to below URLs. Latest version of alfresco is 4.2 and a lot has been changed
> into it for almost everything to make things simpler and efficient.
>
> http://docs.alfresco.com/4.0/concepts/API-intro-4.html
> http://wiki.alfresco.com/wiki/Repository_RESTful_API_Reference
>
> These pretty much cover features provided by REST into alfresco and we can
> definitely start from here & do let me know for any more documentation.
> Every alfresco instance supports REST based processing so testing REST is
> not a tedious task.
>
> In the meantime i am checking GitHub to find if something is already
> available.
>
> Regards.
>
>
> On Wed, Jun 11, 2014 at 9:50 AM, Karl Wright <daddywri@gmail.com> wrote:
>
>> Hi Lalit,
>>
>> The best way to start is to describe the Alfresco server you are trying
>> to crawl.  What version?  It matters a lot, as you will read below.
>>
>> The Alfresco connector was originally submitted by Piergiorgio Lucidi
>> under the direction of SourceSense.  My understanding is that he had no
>> trouble getting access tokens with the connector, but unfortunately on the
>> other end (mapping users to access tokens) the original Alfresco API's
>> didn't do this.  Since then, I believe, Alfresco has completely revamped
>> their API's, and they have a REST-style API available to do the job (or so
>> I am told).  A company called Zaizi did some work on it and was supposed to
>> contribute the updated connector, but for two releases that hasn't
>> happened.  But it is possible that the connector is in GitHub somewhere?
>>
>> In short, Alfresco is a bit of a mess, and I would very much like to get
>> it repaired to a point where it is usable fully.
>>
>> If your instance has the REST API, and you can provide me with the REST
>> API documentation for your Alfresco instance, I am happy to set up a branch
>> to build an Alfresco REST connector from scratch (provided it looks like
>> everything works the way it is supposed to).  Building a connector in this
>> way will take usually a couple of weeks, and you MUST have access to the
>> instance you are trying to crawl, and be willing to test the connector
>> against it and reiterate.  There is a chance we'd fail, but with the
>> documentation available in advance, the chances of that would be low.
>>
>> Thoughts?
>> Karl
>>
>>
>> On Wed, Jun 11, 2014 at 1:58 AM, lalit jangra <lalit.j.jangra@gmail.com>
>> wrote:
>>
>>> Thanks Karl,
>>>
>>> So its a show stopper now.
>>>
>>> As a fallback mechanism, i am looking for alfresco only connector for
>>> ACL storing mechanism but can you confirm if alfresco specific connector
>>> supports this feature or not.
>>>
>>> And finally if no all the ways, what would be the optimum way to start
>>> implementing the same.
>>>
>>> Regards.
>>>
>>>
>>> On Wed, Jun 11, 2014 at 12:47 AM, Karl Wright <daddywri@gmail.com>
>>> wrote:
>>>
>>>> Hi Lalit,
>>>>
>>>> CMIS does not give a way for a user to query for ACLs, so repository
>>>> document security is not supported for that connector.  Documents indexed
>>>> by CMIS are thus "wide open" and will not be restricted from being
>>>> searchable by anybody.
>>>>
>>>> This is, unfortunately, a limitation of CMIS -- at least, CMIS at the
>>>> time the connector was implemented.  Feel free to submit patches to add
>>>> security to the connector if the spec has evolved to the point where it is
>>>> possible.
>>>>
>>>> Thanks,
>>>> Karl
>>>>
>>>>
>>>>
>>>> On Tue, Jun 10, 2014 at 6:38 PM, lalit jangra <lalit.j.jangra@gmail.com
>>>> > wrote:
>>>>
>>>>> Thanks Karl,
>>>>>
>>>>> As per your suggestions, i am able to see ACLs into solr index (I made
>>>>> stored="true" for ACLs in schema.xml) as below. I can see permissions
for
>>>>> Sharepoint as well as shared drive but for CMIS, i am not able to see
any
>>>>> permissions apart from default stored. Am i missing anything in CMIS?
>>>>>
>>>>> *Sharepoint*:
>>>>>
>>>>>
>>>>>         "allow_token_share": [
>>>>>
>>>>>           "__nosecurity__"
>>>>>
>>>>>         ],
>>>>>
>>>>>         "deny_token_share": [
>>>>>
>>>>>           "__nosecurity__"
>>>>>
>>>>>         ]
>>>>>
>>>>>       },
>>>>>
>>>>>       {
>>>>>
>>>>>         "content_name": "Alfresco-in-an-Hour.pdf"
>>>>>
>>>>>         "deny_token_document": [
>>>>>
>>>>>           "SP+Group:DEAD_AUTHORITY"
>>>>>
>>>>>         ],
>>>>>
>>>>>         "allow_token_document": [
>>>>>
>>>>>           "SP+Group:GTest+lalit+Portal+Visitors",
>>>>>
>>>>>           "SP+Group:GTest+lalit+Portal+Owners",
>>>>>
>>>>>           "SP+Group:GRestricted+Readers",
>>>>>
>>>>>           "SP+Group:GTest+lalit+Administrators",
>>>>>
>>>>>           "SP+Group:GTest+lalit+Portal+Members",
>>>>>
>>>>>           "SP+Group:Uc%3A0%28.s%7Ctrue",
>>>>>
>>>>>           "SP+Group:GHierarchy+Managers",
>>>>>
>>>>>           "SP+Group:GApprovers",
>>>>>
>>>>>           "SP+Group:GViewers",
>>>>>
>>>>>           "SP+Group:GDesigners"
>>>>>
>>>>>         ],
>>>>>
>>>>>
>>>>>
>>>>> *Share Drive:*
>>>>>
>>>>>       {
>>>>>
>>>>>         "deny_token_share": [
>>>>>
>>>>>           "AD+Group:DEAD_AUTHORITY"
>>>>>
>>>>>         ],
>>>>>
>>>>>         "content_name": "hello.txt",
>>>>>
>>>>>         "content_modifier": "lalitjangra",
>>>>>
>>>>>         "deny_token_document": [
>>>>>
>>>>>           "AD+Group:DEAD_AUTHORITY"
>>>>>
>>>>>         ],
>>>>>
>>>>>                "id": "file://///SDD/lalit/manifoldtest/hekko.txt",
>>>>>
>>>>>         "allow_token_document": [
>>>>>
>>>>>           "AD+Group:S-1-5-18",
>>>>>
>>>>>           "AD+Group:S-1-5-21-2630432783-15384281-2988178474-12088",
>>>>>
>>>>>           "AD+Group:S-1-5-21-2630432783-15384281-2988178474-12147",
>>>>>
>>>>>           "AD+Group:S-1-5-21-2630432783-15384281-2988178474-12148",
>>>>>
>>>>>           "AD+Group:S-1-5-21-2630432783-15384281-2988178474-12149",
>>>>>
>>>>>           "AD+Group:S-1-5-21-2630432783-15384281-2988178474-12150",
>>>>>
>>>>>           "AD+Group:S-1-5-21-2630432783-15384281-2988178474-12217",
>>>>>
>>>>>           "AD+Group:S-1-5-21-2630432783-15384281-2988178474-15154",
>>>>>
>>>>>           "AD+Group:S-1-5-21-2630432783-15384281-2988178474-8005",
>>>>>
>>>>>           "AD+Group:S-1-5-32-544"
>>>>>
>>>>>         ],
>>>>>
>>>>>
>>>>>
>>>>>         "allow_token_share": [
>>>>>
>>>>>           "AD+Group:S-1-1-0",
>>>>>
>>>>>           "AD+Group:S-1-5-32-544"
>>>>>
>>>>>         ],
>>>>>
>>>>>
>>>>>
>>>>>  *CMIS *:
>>>>>
>>>>>
>>>>>
>>>>>                 "allow_token_share": [
>>>>>
>>>>>           "__nosecurity__"
>>>>>
>>>>>         ],
>>>>>
>>>>>         "deny_token_document": [
>>>>>
>>>>>           "__nosecurity__"
>>>>>
>>>>>         ],
>>>>>
>>>>>         "deny_token_share": [
>>>>>
>>>>>           "__nosecurity__"
>>>>>
>>>>>         ],
>>>>>
>>>>>         "allow_token_document": [
>>>>>
>>>>>           "__nosecurity__"
>>>>>
>>>>>         ]
>>>>>
>>>>>
>>>>> Regards.
>>>>>
>>>>>
>>>>> On Tue, Jun 10, 2014 at 5:13 PM, Karl Wright <daddywri@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Lalit,
>>>>>>
>>>>>> You always use the Active Directory authority for Windows shared
>>>>>> drive authorization.  But you do not for SharePoint; you typically
use
>>>>>> SharePoint/Native and SharePoint/AD.  You therefore should have a
second
>>>>>> authority group for SharePoint that is distinct from the one for
Windows.
>>>>>>
>>>>>> Each access token is qualified with the name of the ManifoldCF
>>>>>> authority group, so there is never any chance that they will collide.
 So
>>>>>> it is perfectly fine to have multiple authority groups in a single
>>>>>> installation, in fact we'd expect you to.
>>>>>>
>>>>>> As for the Solr plugin, you can either download it here:
>>>>>>
>>>>>> http://manifoldcf.apache.org/en_US/download.html
>>>>>>
>>>>>> ... or you will find that it is there in the bin distribution
>>>>>> already, under the "integration" directory.  Please have a look and
read
>>>>>> the README.
>>>>>>
>>>>>> Karl
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Tue, Jun 10, 2014 at 11:41 AM, lalit jangra <
>>>>>> lalit.j.jangra@gmail.com> wrote:
>>>>>>
>>>>>>> Thanks Karl,
>>>>>>>
>>>>>>> I am having two content repositories based on active directory
>>>>>>> authentication : SharePoint 2010 and Windows Share Drive, so
i am using
>>>>>>> active directory as authority type in authority connection. All
my
>>>>>>> connections are working fine as well as job is running good but
i am still
>>>>>>> not able to see any ACL information in solr.
>>>>>>>
>>>>>>> Do i need to enable any configuration in solr to see the same?
>>>>>>>
>>>>>>> Also by Solr Plugin, is it a jar or connector which needs to
be
>>>>>>> placed inside solr application server or is it that i need to
write custom
>>>>>>> code to make search query permission aware?
>>>>>>>
>>>>>>> Can you please guide?
>>>>>>>
>>>>>>> Regards.
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Jun 10, 2014 at 1:59 PM, Karl Wright <daddywri@gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi Lalit,
>>>>>>>>
>>>>>>>> (1) You need first to specify "SharePoint Native" as the
authority
>>>>>>>> type in your SharePoint repository connection.  You'd use
"Active
>>>>>>>> directory" as the authority type only if you were using the
"Active
>>>>>>>> directory" authority.  To be precise:
>>>>>>>>
>>>>>>>> - If you are using "SharePoint/Native", "SharePoint/AD",
or any
>>>>>>>> combination of these for your authority group, use "SharePoint
native"
>>>>>>>> authority type
>>>>>>>> - If you are using "Active Directory", use "Active directory"
as
>>>>>>>> your authority type
>>>>>>>>
>>>>>>>> (2) You should see acl information get posted to Solr if
you have
>>>>>>>> everything configured right.
>>>>>>>> (3) On the Solr side, you need to install and configure the
>>>>>>>> appropriate Solr plugin.  Each plugin comes with a README,
which describes
>>>>>>>> how to set up the schema on Solr to support security.
>>>>>>>>
>>>>>>>> Thanks!
>>>>>>>> Karl
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Jun 10, 2014 at 8:51 AM, lalit jangra <
>>>>>>>> lalit.j.jangra@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I am working on Apache MCF 1.5.1 indexing Sharepoint
2010
>>>>>>>>> repository storing index in Solr 4.6.
>>>>>>>>>
>>>>>>>>> For permissions, i followed below steps.
>>>>>>>>>
>>>>>>>>> 1. Created a new authority group called "SharePoint Group"
in MCF.
>>>>>>>>> 2. Created a new User Mapping connection called "SharePoint
User
>>>>>>>>> Mapping" using authority group "SharePoint Group" in
step 1. For user
>>>>>>>>> mapping, i used "Regular Expression" mapping and used
default
>>>>>>>>> expressions.When i save it, it says "Connection Working".
>>>>>>>>> 3. Created a new Authority connection called "SharePoint
Authority
>>>>>>>>> Connection" and using "SharePoint Group"as in step1 as
authority group
>>>>>>>>> type, using "SharePoint User Mapping" as prerequisite,
using my own domain
>>>>>>>>> controller and other related details. When i save it,
it says "Connection
>>>>>>>>> Working".
>>>>>>>>>
>>>>>>>>> Next i have created a new repository connection for SharePoint
>>>>>>>>> called "SharePoint Connection" selecting authority group
called "SharePoint
>>>>>>>>> Group"  from pull down list ,  providing all relevant
details for server ,
>>>>>>>>> and choosing authority type as "Active Directory". On
saving, it worked
>>>>>>>>> fine without any error.
>>>>>>>>>
>>>>>>>>> Finally i created a new SharePoint job providing following
details.
>>>>>>>>> 1. Connections : repository connection as "SharePoint
Connection"
>>>>>>>>> and output connection as "Solr Connection".
>>>>>>>>>  2. Choosing paths for document library, shared documents,
>>>>>>>>> announcements & lists.
>>>>>>>>> 3. Selecting all metadata in metadata tab selecting all
metadata.
>>>>>>>>> 4. Mapped required metadata fields to solr schema fields.
>>>>>>>>> 4. Enabled the security.
>>>>>>>>>
>>>>>>>>> Now i started the job and i can see SharePoint content
getting
>>>>>>>>> indexed and stored in solr. I can verify it using solr
admin query console.
>>>>>>>>>
>>>>>>>>> But i am not seeing any additional ACL information. How
can i
>>>>>>>>> verify that ACL & permission information is also
stored in Solr. Do i need
>>>>>>>>> to change Solr configurations also?
>>>>>>>>>
>>>>>>>>> Please help.
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Lalit Jangra.
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Regards,
>>>>>>> Lalit Jangra.
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Regards,
>>>>> Lalit Jangra.
>>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Regards,
>>> Lalit Jangra.
>>>
>>
>>
>
>
> --
> Regards,
> Lalit Jangra.
>

Mime
View raw message